Overview
This article describes why the following error occurs when authenticating with the 6-digit code received via email, after Multifactor Authentication (MFA) has been initiated with the /mfa/associate API endpoint and before the expected MFA token expiry time (e.g., 10 minutes) has been reached:
oob_code is expired
Applies To
- MFA Token Expiry Time
- Email MFA OTP
Cause
This error indicates that the validity period of the One-time Password (OTP) has expired. The OTP has a separate, shorter expiry time than the overall MFA token lifetime.
Solution
The oob_code is expired error occurs because the default validity period for the Email or SMS OTP code has passed. This validity period is shorter than the overall MFA token lifetime.
Key characteristics of the Email/SMS OTP code are:
- The default expiry time is 5 minutes
- The code length is 6 characters
- A maximum of 10 failed validation attempts is allowed per hour
NOTE: The 5-minute OTP code expiry time is separate from the MFA token expiry time. Neither the OTP code expiry time nor the MFA token expiry time is configurable.
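The following is an added example, not code from the product or its SDKs. It shows how a client can track the two separate deadlines and the failed-attempt limit described above, so it can tell the user to get a new code instead of submitting one that will return "oob_code is expired". The class name, the action names, the sliding one-hour window, and the possibility of requesting a fresh code while the MFA token is still valid are assumptions; the 10-minute MFA token lifetime is the example value from the Overview.

```python
from dataclasses import dataclass, field

OTP_TTL = 5 * 60           # page: default Email/SMS OTP expiry is 5 minutes
MFA_TOKEN_TTL = 10 * 60    # page's example value for the MFA token lifetime
MAX_FAILURES = 10          # page: 10 failed validation attempts per hour
FAILURE_WINDOW = 60 * 60   # assumption: modelled as a sliding one-hour window


@dataclass
class MfaSession:
    """Hypothetical client-side record of one MFA attempt (times in seconds)."""
    mfa_token_issued_at: float
    code_sent_at: float
    failures: list = field(default_factory=list)  # timestamps of failed attempts

    def record_failure(self, now):
        self.failures.append(now)

    def next_action(self, now):
        """Decide what the client should do before submitting a code at `now`."""
        if now - self.mfa_token_issued_at >= MFA_TOKEN_TTL:
            return "restart_login"       # the MFA token itself has expired
        recent = [t for t in self.failures if now - t < FAILURE_WINDOW]
        if len(recent) >= MAX_FAILURES:
            return "locked_out"          # attempt budget for the hour is spent
        if now - self.code_sent_at >= OTP_TTL:
            return "request_new_code"    # submitting would give "oob_code is expired"
        return "submit_code"

    def seconds_left_for_code(self, now):
        """Time the user really has: the earlier of the two deadlines."""
        otp_deadline = self.code_sent_at + OTP_TTL
        token_deadline = self.mfa_token_issued_at + MFA_TOKEN_TTL
        return max(0.0, min(otp_deadline, token_deadline) - now)


if __name__ == "__main__":
    # Constructed timeline: token and code both issued at t=0.
    s = MfaSession(mfa_token_issued_at=0, code_sent_at=0)
    for t in (240, 360, 600):
        print(t, s.next_action(t), s.seconds_left_for_code(t))
```

A code sent late in the MFA token's life is cut short by the token deadline, which is why seconds_left_for_code takes the minimum of the two.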